From cc5f66524a3d7d411c7f2a02541ccecd2648a88d Mon Sep 17 00:00:00 2001
From: Inkvi
Date: Thu, 30 May 2024 14:18:07 -0700
Subject: [PATCH] Add vulnerability scanning
---
 .github/workflows/docker-publish.yml | 11 ++++++++++-
 .github/workflows/vuln-scan.yml | 25 +++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/vuln-scan.yml
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index af7c73f..388f538 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -24,7 +24,6 @@ jobs:
 images: |
 ${{ env.IMAGE_NAME }}
 tags: |
- type=sha
 type=semver,pattern={{raw}}
 labels: |
@@ -57,3 +56,13 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:buildcache
 cache-to: type=registry,ref=${{ env.IMAGE_NAME }}:buildcache,mode=max
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.21.0
+ with:
+ image-ref: ${{ env.IMAGE_NAME }}:latest
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/vuln-scan.yml b/.github/workflows/vuln-scan.yml
new file mode 100644
index 0000000..8fa8202
--- /dev/null
+++ b/.github/workflows/vuln-scan.yml
@@ -0,0 +1,25 @@
+name: build
+on:
+ workflow_dispatch:
+ pull_request:
+jobs:
+ signer:
+ name: Build and Scan Signer
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Build an image
+ run: |
+ docker build -t signer .
+
+ - name: Peptide vulnerability scan
+ uses: aquasecurity/trivy-action@0.21.0
+ with:
+ image-ref: 'signer'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
\ No newline at end of file
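Review bot: The scan at `image-ref: ${{ env.IMAGE_NAME }}:latest` does not target the image this job just built: after the `type=sha` removal the visible metadata config emits only `type=semver,pattern={{raw}}` tags, so unless a `latest` tag is produced somewhere outside this hunk, Trivy pulls whatever stale `latest` sits in the registry (or fails on a missing tag) instead of the new build. It also runs after the build-and-push step whose `cache-to` line precedes it, so `exit-code: '1'` only turns the job red after the vulnerable image has already been published. Scan the exact artifact instead — assuming `meta` is docker/metadata-action, `image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}` — and, to actually gate publication, build with `push: false` / `load: true`, scan, then push in a later step (or scan by digest using the build step's `digest` output). Separately, `aquasecurity/trivy-action@0.21.0` is a mutable tag; pin it to the release's full commit SHA with the version in a trailing comment. The enclosing `jobs:` step list starts outside the hunk.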
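Review bot: Both actions in the new workflow are referenced by mutable tags (`actions/checkout@v3`, `aquasecurity/trivy-action@0.21.0`) and the file declares no `permissions:` block, so a `pull_request` run gets the repository's default token scope; pin both to full commit SHAs (version in a trailing comment) and add a top-level `permissions:` block with `contents: read`, which is all the checkout needs. The step name `Peptide vulnerability scan` reads as a typo for `Trivy vulnerability scan`, and `name: build` on a file called `vuln-scan.yml` will be confusing in the Actions UI — `name: vuln-scan` matches the file. `ignore-unfixed: true` silently drops CRITICAL/HIGH findings that have no upstream fix yet; that is a reasonable noise trade-off but deserves a one-line comment such as `# unfixed CVEs are hidden; review them periodically with ignore-unfixed: false`. The file also lacks a trailing newline (`\ No newline at end of file`).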